News US Attorney General Reignites Call For Encryption Backdoors

D

Deleted member 1353997

Guest
-> USA doesn't want China spying on them.
-> China has used NSA-made tools to spy on people in the past.
-> USA wants backdoors

I'm glad to see there are such great minds sharing their opinion on a subject as sensitive as security. It makes me feel very safe.
 
The unfortunate result of allowing anti-intellectuals to participate in governance....

A result of Politicians who want to control something they just don't understand. Even worse they don't possibly comprehend the choices of their decisions. It's a bit of a hypocrisy that Congress doesn't care what happens with spying, just as long as it doesn't happen to them.

That said, secrets can be exposed and hard to remove. (ie: Eternal Blue/Wanna Cry) and the ramifications ever lasting. The weakest link isn't the technology, but the people who use it and maintain it. People make mistakes. It's part of human nature. And the devices made by man (including back doors) therefore can be inherent with bad design choices including exploitable ones. No amount of code reviews, design, and security procedures can stop the weakest link: A dumb person (IE: A contractor who installed cracked keys on his classified laptop.) Or a politician who doesn't even listen to security rules (IE: Hillary Clinton's private email server)

There are only two remote controlled systems that are critical and can't be compromised. (Power plant controls, and our nuclear defenses) Why? Because there is no complete digital point A -> B and the technology is proprietary to just one specific system. The final end point of said commands is controlled by a human being. They are the ones who manually throw the switches on an isolated system. Quite simply compromising a device through a digital chain opens it up to remote compromise by threat actors.

It's entirely possible the back door can be exploited by other actors who the government did not intend. For example, a Russian, North Korean, Iranian, or Chinese hacker group may compromise someone in a sensitive position here in the USA. Look how WannaCry and Stuxnet type viruses were used against the public after they were exposed. There are always new ways to exploit once was thought safe. That includes encryption (WEP/WPA/TLS 1, etc...) and APIs (SMBv1, Struts) , languages (Javascript) and hardware (RowHammer/Spectre/Meltdown)

And to be honest they don't need more back doors. They solved a lot of these problems YEARS ago. They don't try to get around the encryption. They just compromise the end point where the end encryption happens. This way you have full access to that data and everything on that device that might be related.

Theres also another unintended side effect: If backdoors are suspected in your product, then the customers in question will move away from your product. There's a reason China is creating their own OS and CPU chips. And there's a reason the USA refuses to use Huawei isn't allowed to sell 5G infrastructure to the USA.
 
Last edited:
  • Like
Reactions: King_V
I'll say one more thing: Once you provide a common widely used ecosystem, that target becomes the #1 focus of people who attack them.

Windows wasn't subjected to so many viruses because it was less secure (Post XP) It was because Windows is the most ubiquitous platform, thereby providing for the largest potential of victims. Create a common backdoor access, and you just create a new #1 target to hack.

I said the same thing at PDC when Azure was released. Cloud services provide a new attack vector where exploits can be gained from a common interface. These interfaces can be accessed by any hacker. (ie: Amazon unecrypted S3 buckets)
 
Windows wasn't subjected to so many viruses because it was less secure (Post XP) It was because Windows is the most ubiquitous platform, thereby providing for the largest potential of victims.
windows is still the least secure platform out there, so you'll never be able to modify that security variable to test the hypothesis. I still maintain that exploits will, by and large, be directed toward those systems which provide fertile ground for such exploits; and that presumption has still never been demonstrated to be false by anything approaching credible evidence.

Just IMHO, you understand, and let's leave it at that. ;)
 
Nothing to hide here, but, he (The US AG) can kiss my --- anyway, this whole 'need to read all your stuff whenever we wish, in order to prevent crimes before they happen' mentality...

Sounds a bit like sacrificing liberty for 'security'...

There will always be something available, even if only usable within a Linux VM, that has no backdoors...
 
Last edited:
  • Like
Reactions: bit_user

bit_user

Polypheme
Ambassador
These guys are just absolutely ridiculous it just boggles me how they are in office and supported.
Really? You know who nominated him, right? One guess.

He got the job after writing an open letter about how the Mueller Investigation is BS.

Back when he was first Attorney General (1991), exporting > 40-bit encryption outside the US was illegal. I can't attribute that to him, in any way, but suffice to say he's a creature of that time.
 

bit_user

Polypheme
Ambassador
BTW, law enforcement will always request more capabilities. They will always claim they can stop more crimes, terrorism, etc., if they had it. I'm not saying they're wrong, but I will say I don't want to live in a police state. The 4th Amendment exists for a reason.

I think the cat is out of the bag, on strong encryption. The bad guys (especially the really bad ones) will always have it. And unless/until they can come up with the electronic equivalent of a warrant for surveillance (and the FISA court is a bad joke, BTW), the government cannot be trusted with the ability to eavesdrop on all electronic communications.
 

bit_user

Polypheme
Ambassador
It's a bit of a hypocrisy that Congress doesn't care what happens with spying, just as long as it doesn't happen to them.
Worse than that, Congress members don't want something bad to happen on their watch, after voting down a piece of legislation that conceivably could've prevented it. They're very risk-averse, with the biggest risk being perceived as a terrorist attack that they could've helped prevent.

There are only two remote controlled systems that are critical and can't be compromised. (Power plant controls, and our nuclear defenses) Why? Because there is no complete digital point A -> B and the technology is proprietary to just one specific system. The final end point of said commands is controlled by a human being. They are the ones who manually throw the switches on an isolated system.
It's interesting that you went on to mention stuxnet, because it successfully attacked just such a physically-isolated system. It was quite an elaborate attack, actually. Worth a read, for anyone unfamiliar with the details.

Also, nuclear power plants definitely use software. A guy I worked with had interned at Siemens and told me about how they would do code reviews on the machine code generated by the compiler!

And to be honest they don't need more back doors. They solved a lot of these problems YEARS ago. They don't try to get around the encryption. They just compromise the end point where the end encryption happens. This way you have full access to that data and everything on that device that might be related.
Perhaps you missed the part of the article where he was implying they want to do mass-surveillance. Unless you have a simple and systematic way of compromising all of the endpoints, you can't do that through endpoint attacks.
 
A result of Politicians who want to control something they just don't understand.
Keeping in mind, of course, that we were saddled with some representative or senator who was concerned about the additional weight of deployed military assets causing an island to capsize and sink...

Given how much these ignorant hucksters don't understand, it's pretty clear that the agenda of controlling what they don't understand is an impossible task.
 
Worse than that, Congress members don't want something bad to happen on their watch, after voting down a piece of legislation that conceivably could've prevented it. They're very risk-averse, with the biggest risk being perceived as a terrorist attack that they could've helped prevent.


It's interesting that you went on to mention stuxnet, because it successfully attacked just such a physically-isolated system. It was quite an elaborate attack, actually. Worth a read, for anyone unfamiliar with the details.

Also, nuclear power plants definitely use software. A guy I worked with had interned at Siemens and told me about how they would do code reviews on the machine code generated by the compiler!


Perhaps you missed the part of the article where he was implying they wan t to do mass-surveillance. Unless you have a simple and systematic way of compromising all of the endpoints, you can't do that through endpoint attacks.

Nuclear power plants have ZERO software controls to regulate the system. Control of the reactor itself is done via hand switches and non reprogramable safety systems. It is a true air gapped system. Even sensors use analog systems that cant be reprogrammed.

There is software for some things. But any thing that could endanger the cooling of the reactor is air gapped.

Stuxnet worked because these was a digital end point on a non proprietary open system where computers arbitrarly executed commands on a SCADA system which is an open standards system developed by seimens. If the centrifuges were truly isolated (air gapped) and set by hands it wouldnt have happened.

The article is somewhat misleading. They want the ability to listen in on any encrypted communication of someone they suspect of breaking the law. Otherwise it would be in violation of unreasonable search and seizure. Im not a lawyer so i cant say what the burden of proof would be for a john doe wire tap. But just because someone hangs with questionable people or areas doesnt mean they are guilty of anything. When i took criminology l remember an interesting statistic because the numbers added up nicely to 100%. Its like 95% of the crime happen in 5% of the city. So does that mean you get to wiretap everyone who comes in contact with that 5% of the city. The answer is obviously no. You have to have proof that crime is actually taking place before hand.

When they say mass survalence its poor words. Its more like mass access to survalence. But as long as there are programmers there will be new encryptions the govt cant touch like "signal" On a linux distro.

A big old game of cat and mouse with a false sense of security by both sides. Its a reflection of the niavity of policians in general. Enabling the back door makes them think it will make everyone safer. The fact is it could do the very opposite.

For wnd users thinking they wont get caught there are a ton of exploits available on honey pot websites. And even end to end encryptions systems can record your advertising id which google/apple points back to you. Windows is no better. Theres ways to digitally finger print you through your web browser even if you are running vpn encryption or tor.
 
Last edited:

bit_user

Polypheme
Ambassador
Stuxnet worked because these was a digital end point on a non proprietary open system where computers arbitrarly executed commands on a SCADA system which is an open standards system developed by seimens. If the centrifuges were truly isolated (air gapped) and set by hands it wouldnt have happened.
As I understand it, they had to use a "lost" USB flash drive in a parking lot to cross an air gap to infect the Step7 machines used to flash the programmable logic controllers in the centrifuges. However, the centrifuges themselves were isolated, which is a second airgap.

Indeed, there was a network-based vector - the USB drive needn't be plugged into the specific machine with the Step7 software - just a machine on the same network. Then, it spread via a network worm, in order to reach the Step7 machines. However, in the end, it crossed two air gaps, which is why the Iranians were quite so perplexed and did not initially suspect cyber-espionage.
 

bit_user

Polypheme
Ambassador
I dont use it. I dont have a reason to. But i understand the need for privacy.
Even though I don't use end-to-end encryption, I believe it's essential for a modern, free society.

People like human rights advocates, political dissidents, and opposition political parties need the ability to communicate safely and confidentially. If their ability to do that is compromised, the impacts will eventually ripple throughout society.

Imagine Richard Nixon had the ability to spy on his political opponents without getting caught, as happened in Watergate. You could have one political party holding onto power, indefinitely. To the extent you believe in democracy, you should regard 4th Amendment protections as no less essential than the 1st.
 
  • Like
Reactions: digitalgriffin
As I understand it, they had to use a "lost" USB flash drive in a parking lot to cross an air gap to infect the Step7 machines used to flash the programmable logic controllers in the centrifuges. However, the centrifuges themselves were isolated, which is a second airgap.

Indeed, there was a network-based vector - the USB drive needn't be plugged into the specific machine with the Step7 software - just a machine on the same network. Then, it spread via a network worm, in order to reach the Step7 machines. However, in the end, it crossed two air gaps, which is why the Iranians were quite so perplexed and did not initially suspect cyber-espionage.
Even though I don't use end-to-end encryption, I believe it's essential for a modern, free society.

People like human rights advocates, political dissidents, and opposition political parties need the ability to communicate safely and confidentially. If their ability to do that is compromised, the impacts will eventually ripple throughout society.

Imagine Richard Nixon had the ability to spy on his political opponents without getting caught, as happened in Watergate. You could have one political party holding onto power, indefinitely. To the extent you believe in democracy, you should regard 4th Amendment protections as no less essential than the 1st.

This is quite true.